GDPR Webinar FAQ & Recap

We had a great turnout for our webinar around GDPR. As promised, here are the questions asked by our webinar attendees to learn more about GDPR and how is it going to affect them or their organizations.

Do we have the slides and the recording?

Do privacy statements need to be translated for each EU country being surveyed? – Anonymous

Our recommendation is to at least translate it in all the languages the survey is deployed in. For example, if you are deploying surveys in English, French, and German – our recommendation is that the GDPR privacy and compliance be translated in those 3 languages at least. This is not a hard requirement, but it’s our recommendation. This effectively captures the spirit if the “Informed Consent” articles of GDPR.

Does GDPR apply to surveys that are anonymous and identifiable data is not collected? – Peter Horvath

We think that this does apply. The EU courts have ruled that IP address is “Personal Data” – so it would almost impossible to do an online survey where IP address is not used or collected.

Is a DPA required from panel providers? – Randy Malone

Yes. Our position is that, if you are contracting with Panel Providers to redirect users – they must have a DPA with you. In cases where you are already using QuestionPro Audience to fill out your surveys, you don’t need one – because the overall DPA with QuestionPro and you will cover that automatically.

Does the GDPR Compliance in QP has to be enabled and filled in if the QuestionPro tool is used solely in the US for customers in the US? – Natalino Xuereb

No – If you are based in the US and all your respondents are in the US – GDPR does not really apply to you. That is why we’ve made the GDPR compliance an optional feature on our system. This is typically mandatory for EU companies or companies collecting data from EU residents.

What if the responder is an EU citizen not resident in the EU? Do these rules still apply? If so, can we simply exclude EU citizens from our sample? – Greg Lipper

Great question – In general, this becomes a matter of jurisdiction. GDPR applies to all EU residents – independent of citizenship. So, if you have EU citizens in – say Singapore – they will not have the same protection. We would argue that you exclude EU residents from your sample if you don’t want to have GDPR affect your research.

Who is the Questionpro DPO? – Peter Horvath

Are you seeing any local or state governments concerned about GDPR and can you share some examples? – Naveed Husain

So far US State and Local governments are not materially affected by GDPR. Partially because most United States state, local and federal agencies have their own data-protection and human subjects research rules that they need to abide by. In many cases, this might even conflict with GDPR regulations. Therefore, we would advise that US Gov agencies (Federal, State, and Local) continue to look to internal legal counsel for guidelines.

Do I, as a QuestionPro customer, have to enter our DPO’s contact information as well? – Peter

Yes – You do. We have screens for you to enter your Data Protection Officers’ contact information. This will be displayed to the survey respondent if they choose to contact you regarding their data or privacy.

How does one identify a breach? Is this when the consumers complain or there needs to be regular check mechanisms? – Anchal Dalmiya

GDPR does not really go into the mechanisms that must be in place for identifying breaches like IDS (Intrusion Detection Services) devices. It, however, mandates that consumers / affected parties be notified within 72 hours of a company identifying a breach. The regulation is around disclosure of the breach. It is expected that companies take security precautions and have a layered security approach to data – but that’s a technical issue and not a regulatory issue.

How do you identify a user requesting a delete? Based on email address? – Sietse van der Laan

We store cookies on the respondent’s browser instance. Not all surveys are sent via emails. We consider this as the point of interaction – the online browser experience. Using the cookies, we identify all the surveys the respondent has taken – and give them the option of requesting a delete or even view the data that the respondent has provided.

Is there a mechanism to auto-delete or auto-approve the workflow requests for deleting the responses? – Anonymous

At this point – No. We are intentionally making the process manual when we start off. Over time, as the GDPR regime take hold and depending upon the volume of RTBF (Right to be Forgotten) requests that come through, we probably will enable tools for our customers to auto-approve requests.

If as respondent takes surveys from multiple customers (of QuestionPro) how will the delete workflow work? – David Hicks

When a respondent see’s all the surveys – that he/she has taken via QuestionPro, they have the option of deleting a single response or all their data.

If its a single response – then the workflow for that Survey Admin will be triggered i.e. an email will be sent to the QuestionPro customer that own and administers that survey.

If the respondent requests all his data be removed, multiple workflow emails will be sent – depending upon, if each of the QuestionPro customers have turned on GDPR compliance or not.

In all cases, however, QuestionPro will automatically remove all the cookies associated with user immediately.

Much of the published work has been on roles, staffing, and contracts. Given that this is a data issue at its heart, can you please cover the ways in which data needs to be secured and transmitted in order to be compliant with GDPR? – Karlan Witt

GDPR specifically does not require a standard for storage of data and more importantly any threshold for encryption. However, GDPR states that there must be “data protection by design” – we interpret that to be encryption both at rest as well as in-flight. What this means is that data moving between systems must be encrypted and then when data is stored in any system, it must be encrypted at rest. We believe that if those two roles are followed, then we comply with the “data protection by design” mandate.

Some practical considerations are – using SSL and SSL ONLY for all data transfers – this includes SFTP and HTTPS as the two dominant protocols for moving data between systems. When data is stored (in databases or hard drives) – there must be protections in place for that data not to be visible or available without a user-generated key or at least a system generated key.

At QuestionPro, we have automatically moved all our Survey URL’s to SSL. So any data that the respondent gives is via a secure channel. All data that gets transmitted from QuestionPro servers to local machines (customer) is also secure via the same SSL mechanism. Data that is stored in QuestionPro servers are automatically encrypted at the database/storage level. So, data is only available and exposed through the os/application layer.

If customers are downloading data into laptops/computers, we recommend that clients use local storage encryption for encrypting the files / file-system that can only be unlocked based on a login/password. This will fulfill the “protection by design” philosophy.